I don't know. Quick research on DES talks about weaknesses created by small key sizes (64 bits, which corresponds to eight ASCII characters), but I don't follow if that's directly the problem. I would suspect so.

I'd suggest not using crypt()'s default DES implementation. DES is considered insecure by pretty much everyone, and is, in fact, not a standard anymore.

It appears that in order to change the salt I need to modify the 07 in the salt above to another numeric salt. I am sure I am doing something wrong. Most of my other efforts produce two identical hashes. I noticed that the higher the 2-digit number, the longer it takes to compile. 13 as in $salt="$2y$13$"; takes about 3 seconds, which is as long as I want to try. I suspect the time it takes to compile increases exponentially.

I'm following this discussion (and the others) because it's interesting/useful for me. But I'm confused.

What I'm concerned about is whether crypt() is always consistent across servers. Several times now the two of you have had different results on different servers. I haven't tried it myself, but I've been thinking about switching over to this function.

So, I see three possibilities:
1. crypt() behaves differently on different servers due to which algorithms are available, underlying settings, etc.
(This means that moving hosts would be a huge problem and that code isn't portable in general. It might be better for security, but it's a problem for usability.)

2. James has been doing something wrong the whole time. It's certainly possible, but I can't see what it is, so I wouldn't do it any better. If so, what is the problem? Traq, you seem to be able to avoid the problem-- have you also figured out what James has done wrong, or only how to do it the right way on your server?

3. James's server is broken. crypt() will work as expected everywhere else, and there's just something wrong with php/crypt() on that installation. (I don't know that this is the case, it's just a guess, since it seems very inconsistent.)

Any idea which one might be the case? All I know is that I'm very confused by crypt(), and that I haven't had a lot of free time to play with it. I imagine I'll run into the same problems that James has when I do, though.

Is crypt() available to the same degree on all servers? Are there version differences?

Also: wouldn't it be a worthwhile project to create some functions for the different algorithms that make the arguments more intuitive? So we could create, for example: function blowfish($string,$salt='',$rounds=1)
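
An added example, not code from any poster in this thread: a wrapper of the kind proposed above, built on crypt() with the $2y$ prefix discussed in the thread, that generates a fresh salt per hash and checks for crypt()'s failure marker so a server without the algorithm is detected. The function names are hypothetical, the sample passwords are constructed, and it assumes PHP 7.0 or later for random_bytes() and hash_equals().

```php
<?php
// Added example: hypothetical wrappers around crypt() for bcrypt ("blowfish").
// Assumes PHP 7.0+ (random_bytes, hash_equals).

function blowfish_salt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be 04..31');
    }
    // bcrypt expects 22 salt characters from the alphabet ./A-Za-z0-9.
    // Standard base64 uses "+" where bcrypt uses ".", so swap it.
    $raw  = base64_encode(random_bytes(16));   // 24 chars including "==" padding
    $salt = substr(strtr($raw, '+', '.'), 0, 22);
    // The cost field is always two digits: "$2y$07$", never "$2y$7$".
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function blowfish_hash(string $password, int $cost = 10): string
{
    $hash = crypt($password, blowfish_salt($cost));
    // On failure crypt() returns a short marker ("*0" or "*1"), not a hash.
    // A real bcrypt result is 60 characters and keeps the requested prefix.
    if (strlen($hash) !== 60 || strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('crypt() did not return a bcrypt hash here');
    }
    return $hash;
}

function blowfish_verify(string $password, string $stored): bool
{
    // The stored hash carries its own prefix, cost and salt, so passing it
    // back as the salt argument re-runs crypt() with the same settings.
    $check = crypt($password, $stored);
    return strlen($check) === 60 && hash_equals($stored, $check);
}

// Constructed sample values.
$hash = blowfish_hash('correct horse', 7);
var_dump(blowfish_verify('correct horse', $hash));
var_dump(blowfish_verify('wrong guess', $hash));
// A fresh random salt per call means two hashes of one password differ.
var_dump($hash === blowfish_hash('correct horse', 7));

// The cost is a base-2 exponent: each +1 doubles the hashing work.
foreach ([7, 10, 13] as $cost) {
    $start = microtime(true);
    blowfish_hash('timing sample', $cost);
    printf("cost %02d: %.3f s\n", $cost, microtime(true) - $start);
}
```

On PHP 5.5 and later, the built-in password_hash() and password_verify() produce and check the same $2y$ format.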